ASSP start up errors

Error messages noted when ASSP starts.
Is there a recommended way to load ASSP_AFC? Or is this a PERL
configuration issue?

using Perl /usr/bin/perl version 5.018002 (5.18.2), all Perl features
for 5.18 are enabled
compiling code and check code integrity - please wait .....
checking config in /usr/local/bin/assp2/assp.cfg [OK]
error: preload plugin ASSP_AFC failed in 'use' -
Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
...[other similar errors]...
Bareword "ARCHIVE_OK" not allowed while "strict subs" in use at
/usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
Bareword "ARCHIVE_WARN" not allowed while "strict subs" in use at
/usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
Compilation failed in require at (eval 29) line 2.
BEGIN failed--compilation aborted at (eval 29) line 2.

Could not expand [Archive::Extract::TGZ]. Check the module name.
I can suggest names if you install one of Text::Levenshtein::XS,
Text::Levenshtein::Damerau::XS, Text::Levenshtein, and
Text::Levenshtein::Damerau::PP
Skipping Archive::Extract::TGZ because I couldn't find a matching namespace.

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known
virus in this email!
*******************************************************

Re: ASSP start up errors

On 06/30/2017 11:03 PM, Thomas Eckardt wrote:
>> Is there a recommended way to load ASSP_AFC? Or is this a PERL
>> configuration issue?
>
> seems your ASSP_AFC.pm is outdated.
>
It is the version distributed with ASSP 2.5.5 (17030):
103060 Feb 28 09:33 ASSP_AFC.pm

Re: {DKIM Fail} ASSP start up errors

On 06/29/2017 01:25 PM, James Moe wrote:
>
> error: preload plugin ASSP_AFC failed in 'use' -
> Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
> at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
> ...[other similar errors]...
>
No one knows what these errors are, then.
I'll treat them as "known good errors" and move on.

Re: Attachment from "good" list blocked

There is no "killswitch" for the locky virus detection. The only way to
detect these viruses is the check for: 'string.prototype.' and 'charAt'
in JS code. Both statements should be never used in an email.

If you want those mails to be passed by ASSP_AFC, you need to switch off
the 'exe-bin' detection completely for all or specific addresses/domains.


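The check described in the message above, as an added Python example (not ASSP_AFC's own code, which is Perl and is not shown in this thread): it decodes each MIME part, takes the JS from `.js` parts and from HTML `<script>` blocks, and reports which of the two strings appear. Case-insensitive matching, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The two strings named in the thread; case-insensitive matching is an assumption.
TOKENS = ("string.prototype.", "charAt")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def js_from_part(part):
    """Return the JavaScript carried by one MIME leaf part, or '' if it has none."""
    raw = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
    try:
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    except LookupError:                          # unknown charset label
        text = raw.decode("latin-1")
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    if ctype in ("application/javascript", "text/javascript") or name.endswith(".js"):
        return text
    if ctype == "text/html" or name.endswith((".html", ".htm")):
        return "\n".join(SCRIPT_RE.findall(text))  # only code inside <script> blocks
    return ""

def scan_message(raw_bytes):
    """List (part name, tokens found) for every part whose JS contains a token."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        js = js_from_part(part).lower()
        found = [t for t in TOKENS if t.lower() in js]
        if found:
            hits.append((part.get_filename() or part.get_content_type(), found))
    return hits

def build_sample():
    """Constructed message: prose body, one HTML attachment using both tokens, one not."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("The word charAt in a plain-text body is not JS code.")
    flagged = b"<html><script>String.prototype.at2=function(i){return this.charAt(i)}</script></html>"
    clean = b"<html><script>var total = 1 + 2;</script></html>"
    msg.add_attachment(flagged, maintype="text", subtype="html", filename="secure_message.html")
    msg.add_attachment(clean, maintype="text", subtype="html", filename="notice.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```
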
Re: Attachment from "good" list blocked

I had this removed from "block" for these domains, but blocking was
still occurring.

I've added it to "good" and I'll see what happens.

- Bob

On 7/31/2017 4:49 AM, Thomas Eckardt wrote:
> There is no "killswitch" for the locky virus detection.
> The only way to detect these viruses is the check for :
> 'string.prototype.' and 'charAt' in JS code. Both statements should be
> never used in an email.
>
> If you want those mails to be passed by ASSP_AFC, you need to switch off
> the 'exe-bin' detection completely for all or specific addresses/domains..
>

Re: Attachment from "good" list blocked

Nothing changes! There is no 'good' check for executable attachments and
embedded executable JS code.

I released ASSP_AFC 4.56. It contains such a killswitch (general switch
off). It is hidden AND IT IS NONSENSE to use it.

I was the last month involved in the recovery of 4.500 windows servers
and 12.000 windows client systems, which were destroyed worldwide (150
locations) in less than 30 minutes and had to be recovered from backup or
new installed from scratch. NEVER EVER let such code pass your walls.

Re: Attachment from "good" list blocked

Thanks Thomas.

I agree with you. I would remove the killswitch from future versions of
the plugin.

I audited the last month of logs, and I found 11 domains for which this
locky test was triggered. All of them are financial companies like
banks and mortgage lenders. I did not find any that appeared to
actually be malicious, although it is possible, but unlikely, that some
may have spoofed the domains in question. I'd have to audit every
single email to be sure. One is a major bank, the rest are regional or
even local. They seem to be using a common (shared, not popular)
mechanism for sending secured emails that involves these html files with
embedded js.

My mail server is small (7700 emails/day) but it seems to me that I
should be seeing this test be triggered for email outside of the course
of normal business, but I am not.

I'm going to try to get samples of these attachments so we can see if
there is a way to fine tune this check.

- Bob

On 7/31/2017 11:09 AM, Thomas Eckardt wrote:
> >I've added it to "good" and I'll see what happens.
>
> Nothing changes! There is no 'good' check for executable attachments and
> embedded executable JS code.
>
> I released ASSP_AFC 4.56. It contains such a killswitch (general switch
> off). It is hidden AND IT IS NONSENSE to use it.
>
